Problem Solved; Access by many without compromising information

(This is a true story about a real problem that was solved with current and readily available technology.)

While developing self-replicating sites for essentialoilsrus.com, I came up against an interesting problem.

Sites are purchased at essentialoilsrus.com by distributors of a certain line of products. Each replicated site has a common product database and a common shopping cart. However, the fulfillment company cannot accept orders sent directly to their server. They must receive orders by telephone or by FAX.

Product distributors need to FAX or telephone their own orders.

Emailing orders to individual distributors so they can then FAX or telephone them to the fulfillment company would not be secure, thus not acceptable. Using PGP encrypted email would require training each distributor to use it. Again, not acceptable.

What's needed:

  1. Order information needs to be stored on a secure server and retrieved by individual distributors so they can then FAX or telephone the orders to the fulfillment company. Retrieving from the secure server must be done without compromising the personal and financial information in other distributors' orders.
     
  2. When the distributor retrieves orders from the secure server, the environment of the distributor's computer cannot be known. It might be a computer in a one-person office or it might be in an internet cafe where others have access to the same computer. As much security as possible needs to be implemented for diverse computer environments.

It was a nice little problem, the kind I enjoy solving.

Security on the Secure Server

Distributors already have usernames and passwords to access the control panel for customizing their replicated sites. When a distributor's site receives a product order, the distributor receives an email with a unique order number. The username, password, and order number are all required to retrieve the order's payment and other information from the secure server.

Thus, even with a stolen username and password, unique order numbers must be known before an order's information can be retrieved.

Security in the Distributor's Computer Environment

Implementing as much security as possible in the distributor's computer environment required more thought than did the secure server solution.

When the distributor retrieves an order, the order must be presented in the browser ready to print for FAXing to the fulfillment company or for reading while telephoning the order.

Server-side programming has its limitations. For example, while the order is on the screen, nothing can be done about others looking at it. And the printed copy's distribution cannot be effectively restricted.

However, there were some things I could do.

  • Instead of plain text, credit card numbers could be displayed on the screen with graphics.
     
    • If the distributor saves the page to his/her hard drive, an extra step of saving the images must be taken in order to save the credit card numbers. The numbers in the images look like the surrounding text, so a page saved without its images does not carry the card numbers with it, which reduces that kind of thoughtless security risk.
       
    • The file names of the graphics could be temporary. Once the page with the order information is loaded into the browser, the file names can be deleted.
       
    • Because temporary, randomly generated file names are used, image file names from any pages saved to the distributor's hard drive could not be used for determining the credit card numbers of other saved pages.
       
  • The distributor could be requested to log off when done. Logging off can delete all information on the secure server related to the retrieved orders.
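
The retrieval check and the temporary-image lifecycle described in the two sections above, as an added sketch (not the code used at essentialoilsrus.com). The names `OrderSession`, `USERS`, `ORDERS` and `hash_password` are hypothetical, and the `card_image` bytes stand in for the graphic that would be rendered from the card number.

```python
import hashlib
import hmac
import secrets
from pathlib import Path

def hash_password(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data; all names and values are hypothetical.
USERS = {"dist01": hash_password("correct horse")}
ORDERS = {
    "ORD-7F3K9Q": {"owner": "dist01", "card_image": b"<graphic of card no. 1>"},
    "ORD-2M8X1B": {"owner": "dist02", "card_image": b"<graphic of card no. 2>"},
}

class OrderSession:
    """One distributor's visit; tracks the temporary image files it created."""

    def __init__(self, image_dir):
        self.image_dir = Path(image_dir)
        self.temp_files = []

    def retrieve(self, username, password, order_no):
        """Return a temporary image path, or None if any of the three values fails."""
        stored = USERS.get(username, b"")
        password_ok = hmac.compare_digest(stored, hash_password(password))
        order = ORDERS.get(order_no)
        # The order must exist AND belong to the authenticated distributor.
        if not (password_ok and order and order["owner"] == username):
            return None
        # Random name: a saved page's image URL says nothing about other images.
        path = self.image_dir / (secrets.token_urlsafe(16) + ".png")
        path.write_bytes(order["card_image"])
        self.temp_files.append(path)
        return path

    def page_loaded(self, path):
        """Delete one image as soon as the browser has fetched it."""
        path.unlink(missing_ok=True)

    def log_off(self):
        """Delete every file this session left on the server."""
        for path in self.temp_files:
            path.unlink(missing_ok=True)
        self.temp_files.clear()
```

The ownership test inside `retrieve` is what keeps one distributor's valid login from opening another distributor's order, even when the order number is known.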

Currently, there are several dozen replicated sites at essentialoilsrus.com. The implemented solution will work okay when there are several hundred, and even several thousand, replicated sites.

Will Bontrager


© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC